![\"Identity](\"/knowledge-base/assets/images/connections-89e8b68b6d95f4765f831fc4c07af1e0.png\")
Authress Tenants exist to group users together to improve the login experience for your users. Users from the same company or business unit will often have SSO setup. To give users a seamless SSO login experience, the correct configuration must be provided. This configuration is specified in the Authress Tenant connection resource.
In some cases however, and usually when a company has not yet logged into your solution before, a tenant might not exist yet. An example might be if you have configured the Google or Microsoft Entra connections. In these cases, a user can log in with their SSO corporate identity provider without first configuring a tenant in your Authress account.
In those cases, Authress now provides a way to capture their tenant configuration and automatically generate a tenant resource with the appropriate configuration. That generated tenant will be assigned to the user and available in the user's generated tokens in the aud claim. See Tenants for more information.
The default configuration in Authress is to not automatically generate a tenant. The automatic generation of resources can cause confusion and add noise to accounts. That being said, there are scenarios where it would be valuable to have the generated tenant automatically. To set this up, specify the Tenant Configuration for the relevant connection. To use the tenant specified by the identity provider, select Passthrough as the tenant assignment option.
![\"Use](\"/knowledge-base/assets/images/passthrough-4d30b63bf48721338f9cbaba60137277.png\")
To see how Passthrough tenant assignment might work in practice, consider a user associated with a Google Workspace account. In their account their Workspace Tenant defined by the HD property from Google Login, will be populated with their domain:
{
\"iss\": \"https://accounts.google.com\",
\"aud\": \"1234567890-123456789abcdef.apps.googleusercontent.com\",
\"sub\": \"12345678901234567890\",
\"exp\": 1745365295,
\"name\": \"Example user\",
\"given_name\": \"Example\",
\"family_name\": \"User\",
\"hd\": \"example.com\"
}
Once this user has completed login, a new tenant will be created:
![\"Passthrough](\"/knowledge-base/assets/images/tenant-c0b15b31eb66717a66a85cfb68dbbfd5.png\")
Additionally, all subsequent users from the same organization will also get assigned to the same tenant.
Authress has automated away the Login configuration experience. Our goal has always been to reduce the complexity in getting every part of authentication correct.
One of the remaining areas of issue is the automatic tenant selection. Users that do not have a configured SSO tenant, and do not know which identity provider to pick, might enter their email into the SSO email field:
![\"Login](\"/knowledge-base/assets/images/error-message-6d14d0db0603a030abe7564720aa9b80.png\")
When doing so, by default they would be met with the error Domain gmail.com is not configured for SSO. While this is accurate, correct, and also translated into the local language for the user using the Automatic Locale Selection feature, we've identified that this is unhelpful. So we should take this even further.
In every case, the user has an email, in many of these cases the user's email is tied to a provider that is both:
In these cases, we can use the properties of the email domain to identify which identity provider the user is a part of.
For example, in the case of test@gmail.com the domain is gmail.com which is clearly Google Login. Rather than conveying to the user that there is no domain configured, we can automatically start the login process with that domain instead.
That is a trivial case, however for other scenarios which are not so obvious, often we will resort to the MX records associated with the email domain. For a real world scenario, let's review the usage if the authress.io domain was used.
dig MX authress.io +short | cut -f2 -d' ' | sort
aspmx.l.google.com
aspmx2.googlemail.com.
aspmx3.googlemail.com.
alt1.aspmx.l.google.com.
alt2.aspmx.l.google.com.
Here we can see that Google Workspace is being used. And in that case we can automatically redirect a user with the email domain to the Google Workspace login. When the user enters their email as test@authress.io, they will get automatically redirected to the Google Workspace login:
![\"Automatic](\"/knowledge-base/assets/images/automatic-prompt-9b0ec03d4fecd87094e7337c6099e0a8.png\")
Because this configuration is mutually exclusive with the other fallback mechanisms, it has to be explicitly enabled. To enable, set the Fallback mode for the Authress Management Login Box to be the value Predict IdP using Domain.
![\"Authress](\"/knowledge-base/assets/images/configuration-3ce8dbc32a2f7f8653bdebcdce36b94a.png\")
Note: Only an identity provider that is enabled for the managed login screen will be selected. In this case if the Google Workspace OAuth connection was not enabled, then it would not have been selected. This prevents unexpected login scenarios from your users.
At the time of the release, the supported providers are Google Workspace, Microsoft O365, and Zoho. If the one you are looking for support for another that listed, just reach out to our support to make a language or locale support request.
Authress has automated away the Login configuration experience. Our default managed UI was already fully customizable, and now it comes with translations for over 26 languages including regional locales.
![\"Customized](\"/knowledge-base/assets/images/login-language-switch-79aa05b82cbb23e919c078f56843f62b.gif\")
The customized login screen language is dynamically selected based on your user's preferred language and locale.
At the time of the release the supported locales are these, and more are coming. But if the one you are looking for isn't listed, just reach out to our support to make a language or locale support request.
Current list:
af - Afrikaansbn - Bengalida - Danishde - Germande-AT - German | Austriade-DE - German | Germanyde-CH - German | Switzerlanden - Englishen-AU - English | Australiaen-CA - English | Canadaen-GB - English | United Kingdomen-US - English | United Stateses - Spanish es-AR - Spanish | Argentinaes-CL - Spanish | Chile es-MX - Spanish | Mexicoes-ES - Spanish | Spainfr - Frenchfr-BE - French | Belgiumfr-CA - French | Canadafr-FR - French | Francefr-CH - French | Switzerlandit - Italian it-IT - Italian | Italyit-CH - Italian | Switzerland ja-JP - Japanesepl-PL - Polishpt - Portuguesept-BR - Portuguese | Brazilpt-PT - Portuguese | Portugaluk-UA - UkrainianAuthress has automated away the Login configuration experience. Instead of having to build your own login screen, Authress supports a managed version for you to configure.
![\"Customized](\"/knowledge-base/assets/images/customize-login-cbc3867c621711cfca7ecf904b92d87a.png\")
The customized login screen is dynamically generated from account configuration. And allows further customization based on:
Previously the managed login screen had only one set of colors that could be applied. With this release, the managed UI supports the css function light-dark() via the color-scheme: light dark. This means that whatever the color scheme preference of your users is, the managed login UI will automatically update to display your selected theme.
The light and the dark theme configurations are now available via the Authress Management Portal
![\"Dark](\"/knowledge-base/assets/images/light-dark-theme-a2d3649a148c4029d3c1fc2fa4a88477.gif\")
Authress Tenant selection enables your users to be automatically redirected to their own corporate identity provider during authentication.
Authress optimizes for the User Experience. To do this, Authress attempts to keep your users logged even when the token expires. This is known as Silent Authentication By default, Authress generated JWTs expiry after 24 hours, and session expiry after 30 days. This may not be long enough or too long in some circumstances.
To handle compliance and regulatory requirements. Authress now enables changing the default token and auth session expiries to meet your customers' exact needs. With this release, the Authress Tenant token configuration, can be provided to change one or both of these lifetimes. This configuration is available either through the SDKs and the Authress API or through the Authress Management Portal in the SSO Tenant Provider configuration.
When configuring an SSO Tenant in the Authress Management Portal, navigate to the advanced tenant configuration, and specify values for the Token Configuration:
![\"Tenant](\"/knowledge-base/assets/images/tenant-token-configuration-7eb1abc597d58bb03164f6bd405e18ad.png\")
Authress Tenant selection enables your users to be automatically redirected to their own corporate identity provider during authentication. Some users will prefer public federated providers, such as Login with Google, but for those where SSO provides critical security, tenants are the preferred solution. Authress supports custom Tenant and Identity Provider selection based on either the Tenant ID or the Tenant Lookup Identifier. Often these might be a commonly available customer subdomain or a custom domain for your platform. In some cases, you might have customers with multiple email domains in the same organization or customer tenant. Common examples include when a customer has multiple business units and each business unit has their own email domain. Users from either business unit who should be part of the same tenant, should be automatically mapped based on any number of different email domains.
With this release Authress now supports multiple domains, by default up to 10 different eTLDs. This configuration is available either through the SDKs and the Authress API or through the Authress Management Portal in the SSO Tenant Provider configuration.
When configuring an SSO Tenant in the Authress Management Portal, now, the option to select the Tenant's email domains is now available:
![\"Multiple](\"/knowledge-base/assets/images/tenant-email-domains-d5fa53a9ec65a503a1dc3fee02d5d5cd.png\")
This functionality will be activated when one of your users in one of your tenants attempts to log in with their email in the Authress Managed Login Screen. In this case, we can see company.com being entered, and the correct tenant will be selected based on that email:
![\"Customizeable](\"/knowledge-base/assets/images/login-box-3ca992379486cae52d776db0c9ff8647.png\")
Link user identities automatically when the user signs up for a more seamless user experience. Starting today, Authress provides a new configuration option allowing for the automatic linking of user identities. When a user signs up with a new account, if that account identity passes our first level security checks and matches an already existing user identity saved in Authress, then Authress can link these.
![\"Identity](\"/knowledge-base/assets/images/connection-configuration-78db357ce036f3ce24707ece1e890a89.png\")
User identity linking supports the following three modes.
Do not link identities and do not allow users to link identities manually. This options should be used by default in Business Contexts, when user identities and data is owned by a business.
Allow users to link identities by utilizing the Link Identity API via loginClient.linkIdentity() call in the Authress Login SDK. More details about how to do this can be found under linking user identities in the Authress Knowledge Base.
Authress will attempt to automatically link user identities when available. Authress will utilize the email address of the identities as well as other key properties to decide if it is safe to link. In the case that it is Authress will automatically link the identity.
Authress automatically provides an audit trail of access to all your resources. Every authorization request and every user login is tracked and streamed to one of our cloud technology partners. For example AWS and GCP both have first class integrations, and you can review their respective guides.
There are many types of events, such as Login and User Authorized. These events are now available in the Authress Management Portal. The dashboard contains a list of the most recent requests to Authress and their result as well as aggregates for the types of requests, their responses, and your most frequently used resources:
![\"Authress](\"/knowledge-base/assets/images/audit-trail-dashboard-634d5801e14e8a0b3dcb9a5d9160d989.png\")
Authress supports new configuration for security keys, multifactor authentication, and passkeys.
Until now, you've been accustomed with the Authress authentication login box.
Authress now supports Hardware and software keys with any connection, users can add any number of additional keys to their account to be used as a second factor. These can be and should be used when any federated or social provider is enabled and your users don't want to trust solely a single provider for their identity. Additionally, in some regulated spaces, you might need a FIPS certified strategy for authentication.
User configured security keys:
![\"Security](\"/knowledge-base/assets/images/security-keys-6d342eb9e9dd097da231ecd1df7906d4.png\")
Next, Authress also supports this same MFA strategy. To improve the security of your Authress account itself, you can add multiple MFA keys to your login, through the Security Keys profile option via the Authress Management Portal:
![\"Authress](\"/knowledge-base/assets/images/authress-security-keys-b16caa3627bec2e20785a6a38ec7eb02.png\")
Lastly, we've enabled Passkeys as a first factor as well. Now, those same security keys can be used to authenticate users without needing a username and password. Passkeys are the only truly safe passwordless authentication strategy.
Enable passkeys for your available login connections in one step on the Authress Identity Connections screen.
![\"Enable](\"/knowledge-base/assets/images/enable-passkeys-d82b0774f98dd29d1bafc956b211e201.png\")
Authress supports authentication and authorization among other first-class features. Where possible, it is better to accept these identity providers through Authress using an Identity Connection.
However, you may wish to continue using your existing authentication provider with Authress when switching to Authress authentication is not possible. In these cases, because most identity providers do not support granular authorization and permissions management, it is a common augment your existing authentication and identity provider (IdP) with Authress Authorization and access control.
This configuration in Authress is called OIDC External Trusted Identities, and starting today, these identities can be used to generate custom user IDs.
Until now, when using an external trusted identity, the User ID was required to be the sub claim of the provider's generated JWTs. Now it can be any claim found in the JWT and that resultant User ID can also have a custom prefix.
This helps disambiguate different providers that have overlapping User ID spaces, allowing you to better restrict access to a single unique user ID.
Check out the new User ID Expression attribute available both through the API and in the Authress Management Portal:
![\"External](\"/knowledge-base/assets/images/user-id-expression-5678481dea7dfb0e7672650aea79f10d.png\")
This configuration would generate a User ID google|1000-google-user-id.
The default limit for the number of allowed groups and access records has been increased from 100,000 to 2 million. This change applies for both Groups and Access Records.
Before this change, searching for Access Records or Groups using the search query dialogs in the Authress Management portal, might not have returned exactly the correct results. However, starting today, a high usage of access records or groups when searching will now be a much better experience. It's important to clarify, more complex queries will always take more time to complete.
If you're interested in using this improved functionality via one of our SDKs as well, we would love to hear about it.
We still plan to roll out additional improvements in the near future, so stay tuned. As always, if you run into any issues with the portal, please reach out to our development team via our Support Page so we can get those issues resolved.
Through our ongoing efforts to make the Authress Management Portal easier to use, nicer to use, prettier to use. We've introduced the following improvements.
Until now, when one of your users had a picture claim associated with their user identity, it would not show in the portal. Now all safe user icons will be automatically displayed.
![\"User](\"/knowledge-base/assets/images/user-explorer-icons-00d6ed394acc6c34f91f2cb43ca301c8.png\"){kind=icon}
Profile pictures will be displayed if the images for the user are sourced from one of the following locations:
There are more coming to this list. However, not all pictures will be automatically shown. This is because not all image hosting locations are secure, and if a malicious image is uploaded to that location, and isn't validated, showing it to you in the management portal creates an attack surface. For this reason, be careful of media platforms that allow users images to be shown to you without taking the necessary security precautions. If there is a source location you would like added to this list and we can verify that provider is taking the necessarily precautions with shared images, it will be added.
Access Records resources dropdown will now dynamically populated with suggested resources. This makes it easier to filter and find the resource URI that are looking for. It also helps to avoid potentially guessing when the resource isn't present.
![\"Access](\"/knowledge-base/assets/images/access-record-resources-e1dc1da8fd584c8565ab15cd410f3667.png\")
Just as environment were displayed before, now all Authress related resource tags will be visible in the portal as well.
![\"Resource](\"/knowledge-base/assets/images/all-tags-355e7453a462a3395211863f1290d76d.png\")
The Authress SDK for python version 3.0 is now available. For details regarding the changes see the SDK Changelog.
The primary improvements are:
typings package.The Authress Access Analyzer is our way of giving you the advanced tools you need to answer the complex authorization question you might have.
Questions such as:
While these actions are at the forefront of Authress authorization checks and done usually via one of the Authress SDKs, getting answers to these questions directly in the Authress Management Portal, makes it so much easier.
This release includes two new features for the Access Analyzer.
When a user has access to a resource via an access record, the Access Analyzer now shows that linked access access record as well as the role that granted the access.
![\"Linked](\"/knowledge-base/assets/images/linked-access-record-ba9ee76d5c9388ccff89053a27195720.png\")
After each access check the Authress UI will now save and display these checks to make it easier to see what was just validated. This makes it possible to compare a list of authorization checks for anything that might not be working correctly.
![\"Authorization](\"/knowledge-base/assets/images/access-check-history-f74a7598558e78ba74fe03923e99be84.png\")
The Authress API endpoint for querying users /v1/users now accepts filtering by a tenantId. This enables custom user workflows based on your customer's accounts.
Your customers accounts can be grouped by an identifier known as a Tenant. A Tenant is a logical source of users for your application. Usually Tenants map one-to-one with your customers. Each of your customer accounts has users that log into your application. During the use of your application there may be a need to fetch all the users that also belong to that same customer account.
This can now be done by passing in the tenantId query parameter to the List Users endpoint.
Authress has automated away the Login configuration experience. Instead of having to build your own login screen, Authress supports a managed version for you to configure.
![\"List](\"/knowledge-base/assets/images/list-users-api-ce60c41857c1b5bd71ec284853e5b82e.jpg\")
Authress introduces Vanishing Keys. Vanishing Keys is an open source one time secret store to enable ease of secret transfer.
In most cases, secrets should be generated and stored by the creator of the secret. And where possible secrets should only be generated at runtime. For this solutions such as a Key Management Service exists.
However, this is not always possible, and we need to transfer ownership of a secret from one person to another.
More details about how the Vanishing Keys service works is available in the documentation, but the important part of this new Authress service is that it provides 100% client side encryption. The secret and secret passphrase never leave your browser unencrypted.
![\"Authress](\"/knowledge-base/assets/images/vanish-3a76ec109b030f3c396a3db045c6e4ba.png\")
![\"Authress](\"/knowledge-base/assets/images/vanish-with-secret-671ccde6f8427d6a5f51a159cbcf3ac3.png\")
![\"Authress](\"/knowledge-base/assets/images/vanish-diagram-a14b4ccb2393b49c1aa8dbd9cad0d15e.png\")
To enable increased security and reliability Authress offers the ability to set a Custom Domain for your account. A Custom Domain enables your services to interact with Authress on a domain that you control. Any domain you own can be set. That domain will be used for:
Historically, only one domain could be configured per account. In most cases you will only want a single domain, since it can create complex additional scenarios to deal with. For example, if valid tokens created by Authress now can be signed with either of two possible domains, now your services need to deal with two possible JWT Issuers.
In some cases this is intentional though, or perhaps you are in the process of rebranding, and need more than one domain to be active at the same time. Because of that, Authress now offers support for multiple simultaneous domains.
![\"Enable](\"/knowledge-base/assets/images/custom-domains-772c3e3ff4be945ce561f7ec7c29b678.png\")
Starting today multiple wildcard support is globally available. Requests to check authorization can include multiple ✶ anywhere in the resourceUri. Requests to the authorization check endpoint accept resourceUris for example:
/resources/✶/nested-resource/✶namespace:✶/resources/lower-namespace:✶/nested-resourceTo further support this functionality the List user resources endpoint now accepts a new parameter Collection Configuration that explicitly enables the type of collection result a request expects.
The original functionality was to only return immediate top level resource matches to a request. This functionality remains the default. When searching for /resources/✶, the result will be a list of matching resources: [ 'resources/001', 'resources/002', ... ].
The endpoint now supports INCLUDE_NESTED.
![\"API](\"/knowledge-base/assets/images/api-resource-list-e54ee43c255b9da42ad9684563fe2176.png\")
Specifying this value cases deeply nested resources to also be returned. A request for /resources/✶, will return: [ 'resources/001', 'resources/002/sub-resource/✶', 'resources/003/sub-resource/003' ]. And additionally requests can include multiple wildcards: /resources/✶/sub-resources/✶, will filter by both resources and sub-resources.
What's great about this new functionality is that users with access to ✶ will also successfully return results. Having access to all resources templates the result. ✶, with a search for /resources/✶ will return [ '/resources/✶' ], making it easier to utilize these results without adding extra filtering logic.
Authress has automated away the Login configuration experience. Instead of having to build your own login screen, Authress supports a managed version for you to configure.
The customized login screen is dynamically generated from account configuration. And allows further customization based on:
This is purely add-on functionality. Login for regular apps will continue the same as it has been, and your users will not see any difference. You can continue to directly overwrite the default Authress Login Box by passing the connectionId to loginClient.authenticate() call in the Authress Login SDK.
For platform extensions, the default login experience has just been upgraded. If you didn't already have a customized login screen for third party extensions, the Authress managed version will automatically be provided without any additional configuration necessary on your side.
Authress now supports automated resource creation and configuration via Terraform.
![\"Terraform](\"/knowledge-base/assets/images/terraform-branding-68030cf36e5fb0b7e76ed59e644bf354.png\")
To support a more streamlined integration, Authress offers guides for Terraform as well as OIDC CI/CD guides for GitHub and GitLab. These CI/CD guides make managing Authress resources securely a simple matter without needing to be a security expert.
Additionally, Authress has released a quick setup guide for OIDC. The guide steps through the flow to secure a CI/CD pipeline automatically without needing to create an Authress service client. Instead, Authress supports the dynamic credentials that are generated by your CI/CD platform to log into Authress. Follow the relevant OIDC CI/CD for more details.
Starting today, the statements in an access record, can now additionally specify both users and groups.
Historically, users and groups were only available as properties of the access record, which meant all statements applied to all users and all groups. This made it easy to support having one group of users with many statements. Additionally, access records could be directly associated with a user so that it was clear that changes to an access meant changes for that particular user.
To change a user's permissions, it was as simple as looking up the access record with the same ID as the user:
const record = await authressClient.records.getRecord(userId);
And then making necessary changes to that record.
However, when multiple users each needed different access to the same resource, multiple access records would need to be configured. One for each set of permissions. This was because all statements in the access record applied to all users in the record. To have different permissions, separate records would be created, each with the separate set of users.
Now, access records can directly specify which statements should be applied to which users.
Instead of listing the users at the record level:
![\"Access](\"/knowledge-base/assets/images/users-screen-382a56643ab46a0c0605628b6f1fc5a3.png\")
Toggle the Enable statement level user assignment switch:
![\"Enable](\"/knowledge-base/assets/images/user-statement-switch-b6e4dfcb6f07de40f2d01c7fa402d5e3.png\")
And then enter the users in the statement section of the record. Each statement can have separate users:
![\"Access](\"/knowledge-base/assets/images/statement-users-9f4d3a044f0b97031c0248dd2cd22309.png\")
A new menu item is available in Authress to quickly create new commonly used flows. These flows are knows as Quick Setup Guides and will be populated frequently used options.
![\"Authress](\"/knowledge-base/assets/images/menu-item-5bd225cd16993ae987533b19e4851a7c.png\")
See the Quick setup guides.
The first released setup guide is for authentication. The guide steps through the flow to create an application, a connection to an OAuth identity provider, and provides example UI code to directly log a user in.
On the completion of the flow you can already start managing user identities.